Crash [@ nsStyleContext::GetStyleDisplay] while trying to print

VERIFIED FIXED in mozilla1.9

Status: VERIFIED FIXED
Product: Core
Component: Layout: Tables
Priority: --
Severity: critical
Reported: 9 years ago
Modified: 6 years ago

People

Reporter: Martijn Wargers (dead), Assigned: mats

Tracking

Keywords: crash, testcase, verified1.8.1.15
Version: unspecified
Target Milestone: mozilla1.9
Hardware: x86
OS: All
Points: ---
Bug Flags: in-testsuite ?
Firefox Tracking Flags: (Not tracked)

Details

Whiteboard: [sg:critical?], crash signature

Attachments

(2 attachments)

Description (Reporter), 9 years ago

See testcase: when clicking on the print button and then printing something,
current trunk builds of Mozilla crash.

http://crash-stats.mozilla.com/report/index/8f00214c-12df-11dd-92b9-001cc4e2bf68?p=1
0  	xul.dll  	nsIFrame::GetStyleDisplay  	 nsStyleStructList.h:95
1 	xul.dll 	nsCSSRendering::PaintBackgroundWithSC 	mozilla/layout/base/nsCSSRendering.cpp:3448
2 	xul.dll 	TableBackgroundPainter::PaintCell 	mozilla/layout/tables/nsTablePainter.cpp:634
3 	xul.dll 	TableBackgroundPainter::PaintRow 	mozilla/layout/tables/nsTablePainter.cpp:590
4 	xul.dll 	TableBackgroundPainter::PaintRowGroup 	mozilla/layout/tables/nsTablePainter.cpp:530
5 	xul.dll 	TableBackgroundPainter::PaintTable 	mozilla/layout/tables/nsTablePainter.cpp:446
6 	xul.dll 	nsTableFrame::PaintTableBorderBackground 	mozilla/layout/tables/nsTableFrame.cpp:1469
7 	xul.dll 	nsDisplayTableBorderBackground::Paint 	mozilla/layout/tables/nsTableFrame.cpp:1318
8 	xul.dll 	nsDisplayList::Paint 	mozilla/layout/base/nsDisplayList.cpp:296
9 	xul.dll 	nsLayoutUtils::PaintFrame 	mozilla/layout/base/nsLayoutUtils.cpp:988
10 	xul.dll 	nsPageFrame::PaintPageContent 	mozilla/layout/generic/nsPageFrame.cpp:562
11 	xul.dll 	PaintPageContent 	mozilla/layout/generic/nsPageFrame.cpp:403
12 	xul.dll 	nsDisplayGeneric::Paint 	mozilla/layout/base/nsDisplayList.h:862
13 	xul.dll 	nsDisplayList::Paint 	mozilla/layout/base/nsDisplayList.cpp:296
14 	xul.dll 	nsLayoutUtils::PaintFrame 	mozilla/layout/base/nsLayoutUtils.cpp:988
15 	xul.dll 	nsSimplePageSequenceFrame::PrintNextPage 	mozilla/layout/generic/nsSimplePageSequence.cpp:647
16 	xul.dll 	nsPrintEngine::PrintPage 	mozilla/layout/printing/nsPrintEngine.cpp:2368
17 	xul.dll 	nsPagePrintTimer::Notify 	mozilla/layout/printing/nsPagePrintTimer.cpp:90
18 	xul.dll 	nsTimerImpl::Fire 	mozilla/xpcom/threads/nsTimerImpl.cpp:403
19 	xul.dll 	nsTimerEvent::Run 	mozilla/xpcom/threads/nsTimerImpl.cpp:490
20 	xul.dll 	nsThread::ProcessNextEvent 	mozilla/xpcom/threads/nsThread.cpp:510
21 	xul.dll 	nsBaseAppShell::Run 	mozilla/widget/src/xpwidgets/nsBaseAppShell.cpp:170
22 	nspr4.dll 	PR_GetEnv 	
23 	firefox.exe 	wmain 	mozilla/toolkit/xre/nsWindowsWMain.cpp:87
24 	firefox.exe 	firefox.exe@0x217f 	
25 	kernel32.dll 	BaseProcessStart

Comment 1 (Reporter), 9 years ago

Created attachment 317715 [details]
testcase

Updated (Assignee), 9 years ago

OS: Windows XP → All
Whiteboard: [sg:critical?]

Comment 2 (Assignee), 9 years ago

Created attachment 317773 [details] [diff] [review]
wallpaper

Wallpaper, until we find the real bug...
This file already has this wallpaper in another place:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/tables/nsTablePainter.cpp&rev=3.25&root=/cvsroot&mark=413-415#408
Attachment #317773 - Flags: review?(bernd_mozilla)

Updated, 9 years ago

Group: security

Comment 3, 9 years ago

Comment on attachment 317773 [details] [diff] [review]
wallpaper

The cited url was not wallpapering over a bug but rather defensive programming. I had a good share of crash bugs (one of them being a top crasher) after fantasai's paint patch landed, so the idea was to have a rather drastic assertion message that will ring all bells instead of having an exploitable array boundary violation.

I will do the core fix and then check if ff2 is also vulnerable.
Attachment #317773 - Flags: review?(bernd_mozilla) → review+

Updated (Assignee), 9 years ago

Attachment #317773 - Flags: superreview?(roc)
Attachment #317773 - Flags: superreview?(roc) → superreview+

Updated (Assignee), 9 years ago

Attachment #317773 - Flags: approval1.9?

Comment 4

Comment on attachment 317773 [details] [diff] [review]
wallpaper

a=mconnor on behalf of 1.9 drivers
Attachment #317773 - Flags: approval1.9? → approval1.9+

Comment 5 (Assignee), 9 years ago

mozilla/layout/tables/nsTablePainter.cpp 3.26

Filed bug 431087 on fixing the real bug.

-> FIXED
Assignee: nobody → mats.palmgren
Target Milestone: --- → mozilla1.9

Updated (Assignee), 9 years ago

Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED

Comment 6 (Assignee), 9 years ago

Comment on attachment 317773 [details] [diff] [review]
wallpaper

The testcase does not crash 2.0.0.14 on XP/Linux/OSX, but the code looks the same on branch. The patch is trivial so it might be worth taking just in case...
Attachment #317773 - Flags: approval1.8.1.15?
Flags: in-testsuite?

Comment 7, 9 years ago

> The patch is trivial so it might be worth taking just in case...

Exactly, this should go onto branch; there is no need for gambling there.

Comment 8

Comment on attachment 317773 [details] [diff] [review]
wallpaper

approved for 1.8.1.15, a=dveditz for release-drivers
Attachment #317773 - Flags: approval1.8.1.15? → approval1.8.1.15+

Comment 9

verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9pre) Gecko/2008042806 Minefield/3.0pre. No crash with the testcase.
Status: RESOLVED → VERIFIED

Comment 10 (Assignee), 9 years ago

Checked in on MOZILLA_1_8_BRANCH:
mozilla/layout/tables/nsTablePainter.cpp 3.13.6.1
Keywords: fixed1.8.1.15

Comment 11, 9 years ago

Mats, can we change the assert to something less draconian? Like a warning for an "nsTablePainter error"; I will know what it means. This bug should stay closed till bug 424377 is fixed.

Comment 12

Verified that the code got checked in. Also verified no crash in 2.0.0.14 and 2.0.0.15 (as said before).
Keywords: fixed1.8.1.15 → verified1.8.1.15
Group: security
Crash Signature: [@ nsStyleContext::GetStyleDisplay]